General
- Target: 8577d539f08c0151f39ae14b00f0c87d27da6fa49de660b2c67377b6cf0c0c8a
- Size: 164KB
- Sample: 220521-br5yysfder
- MD5: f966d3734e6f2f838349d0cd77e1f61f
- SHA1: dce405ddfccd4226f3be83549c9951eab41849a1
- SHA256: 8577d539f08c0151f39ae14b00f0c87d27da6fa49de660b2c67377b6cf0c0c8a
- SHA512: fbe2e3a96feaa7572967a9ea7643a6fb69ab33158b2fa526d3bee7d4cbec34bd7dd22743ba8e1b09d467ceeace912cd841173b22db103e19e698589b70e632b6
Static task: static1
Behavioral task: behavioral1
  Sample: updtd-paymentcopy.xls.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: updtd-paymentcopy.xls.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: lokibot
C2 URLs:
http://tradeslushpool.com/widgets/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
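As a worked example of turning the extracted C2 list into a detection, added here and not part of the sandbox report: the following Python matches proxy log lines against the five C2 URLs above. It reports an exact host-and-path match as the strongest verdict, a bare C2 host match next, then the "Mozilla/4.08 (Charon; Inferno)" User-Agent that Lokibot's bot uses when posting to its gate, and finally a POST to any */fre.php path on an unknown host as a weak heuristic (fre.php is the gate name Lokibot panels use). The log format and the log lines are constructed for the demonstration; the function and variable names are the example's own.

```python
"""IOC matcher for the Lokibot C2 URLs extracted in this report.

Added example, not part of the sandbox output. The C2 URLs are copied
from the report; the proxy log format and log lines are constructed.
"""
import re
from urllib.parse import urlparse

# C2 URLs exactly as extracted from the Lokibot config in this report.
LOKIBOT_C2_URLS = [
    "http://tradeslushpool.com/widgets/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# User-Agent Lokibot's bot sends when posting to its gate. Well known,
# but treated here as a heuristic rather than proof on its own.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"

# Assumed (constructed) proxy log format, one request per line:
#   <timestamp> <src_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def build_indicators(urls=LOKIBOT_C2_URLS):
    """Split the C2 URLs into exact (host, path) pairs and bare hosts."""
    pairs, hosts = set(), set()
    for u in urls:
        p = urlparse(u)
        host = (p.hostname or "").lower()
        pairs.add((host, p.path))
        hosts.add(host)
    return pairs, hosts


def classify(line, pairs, hosts):
    """Return (verdict, src_ip, host, path) for a suspicious line, else None.

    Verdicts, strongest first:
      exact_c2     - host and path match an extracted C2 URL
      c2_host      - only the host matches (any path)
      lokibot_ua   - the Charon/Inferno User-Agent, any destination
      fre_php_gate - POST to a */fre.php path on an unknown host (weak)
    """
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    p = urlparse(m["url"])
    host = (p.hostname or "").lower()
    path = p.path
    if (host, path) in pairs:
        verdict = "exact_c2"
    elif host in hosts:
        verdict = "c2_host"
    elif m["ua"] == LOKIBOT_UA:
        verdict = "lokibot_ua"
    elif m["method"] == "POST" and path.endswith("/fre.php"):
        verdict = "fre_php_gate"
    else:
        return None
    return (verdict, m["src"], host, path)


def scan(lines, urls=LOKIBOT_C2_URLS):
    """Run classify() over every line and keep only the hits, in order."""
    pairs, hosts = build_indicators(urls)
    return [r for r in (classify(l, pairs, hosts) for l in lines) if r]


# Constructed sample log lines (not from the report), one per verdict
# plus one benign line.
SAMPLE_LOG = [
    '2022-05-21T10:00:01Z 10.0.0.5 POST http://kbfvzoboss.bid/alien/fre.php 404 "Mozilla/4.08 (Charon; Inferno)"',
    '2022-05-21T10:00:02Z 10.0.0.5 GET http://alphastand.top/favicon.ico 200 "Mozilla/5.0"',
    '2022-05-21T10:00:03Z 10.0.0.7 POST http://198.51.100.23/panel/fre.php 200 "Mozilla/5.0"',
    '2022-05-21T10:00:04Z 10.0.0.9 GET http://www.microsoft.com/ 200 "Mozilla/5.0"',
    '2022-05-21T10:00:05Z 10.0.0.5 POST http://example.org/upload 200 "Mozilla/4.08 (Charon; Inferno)"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 404 from the gate (as in the first constructed line) is still a hit: a dead C2 does not make the beacon benign, and the extracted config lists five fallback gates precisely so the bot keeps trying. Treat the fre_php_gate verdict as a lead to triage, not an alert on its own.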
Targets
- Target: updtd-paymentcopy.xls.exe
- Size: 205KB
- MD5: a46f773ea9590ab7e9670b8834daaf76
- SHA1: 2724e0a06beb614b52311571b0ddab0c9e99260f
- SHA256: 2c47fd67c3768c03972a8883c7313a4c06445b0c1b92c286abc611820fa33580
- SHA512: 30e1fc71f4a051435028155b27c621e93c17d9ced96f90f18b178e902ceecbc0673733905e28e28f6a9e8be6c21d55dc29d933634f6a98c2f53dc67cdfc2f636
- CoreEntity .NET Packer: a .NET packer (CoreEntity) that embeds the payload as a Bitmap object which is decrypted at runtime.
- CoreCCC Packer: detects the CoreCCC packer used to load .NET malware.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles: consistent with Lokibot's harvesting of stored mail-client credentials.
- Suspicious use of SetThreadContext: commonly seen in process hollowing, where the thread context of a suspended process is redirected into injected code.